Possible reason for payload injection crashing
A while ago, using the older payload-injection code (especially when loading newer GoldHEN versions), I was getting a lot of crashes during the actual loading of the payload. Looking at lapse.mjs, the place where the payload is injected uses very similar code, which for me was also causing a lot of crashes on older dongle software. (I actually spoke to you on Discord a few months back about this.)
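function injectPayload() //dynamic payload inject - stooged
{
    // Copies the payload (payloadData, a binary string with one byte per char)
    // into an RWX buffer and starts a new thread whose entry point is the first
    // byte of that buffer. A separately mmap'd region is handed to the payload
    // as the thread argument.
    if (payloadData.length > 0)
    {
        // Scratch mapping passed to the payload as its pthread argument
        // (prot 7 = read|write|exec). The mmap(477) result is not checked:
        // the framework's return type is not visible from this listing, so a
        // failed map would only surface as a crash inside the payload.
        // TODO(review): abort before pthread_create if chain.syscall results
        // can be compared against MAP_FAILED.
        var payload_buffer = chain.syscall(477, new int64(0x26200000, 0x9), 0x300000, 7, 0x41000, -1, 0);
        var bufLen = payloadData.length;
        // Round the byte length up to whole 32-bit words: the copy loop below
        // writes ceil(bufLen / 4) words, so allocating the rounded size keeps
        // the last, partial word inside the allocation whatever unit
        // p.malloc32 counts in. Over-allocating up to three bytes is harmless.
        var wordCount = Math.ceil(bufLen / 4);
        var allocLen = wordCount * 4;
        var payload_loader = p.malloc32(allocLen);
        var loader_writer = payload_loader.backing;
        for (var i = 0; i < wordCount; i++) {
            var off = i * 4;
            // Pack four consecutive bytes with the first byte in the least
            // significant position, exactly as the previous reverse-and-hex
            // conversion did. charCodeAt past the end yields NaN, which masks
            // to 0, so a trailing partial word is zero-padded. Only the low
            // 8 bits of each char code are used; a char code above 0xff would
            // mean the payload was not read as a binary string.
            var b0 = payloadData.charCodeAt(off) & 0xff;
            var b1 = payloadData.charCodeAt(off + 1) & 0xff;
            var b2 = payloadData.charCodeAt(off + 2) & 0xff;
            var b3 = payloadData.charCodeAt(off + 3) & 0xff;
            loader_writer[i] = ((b3 << 24) | (b2 << 16) | (b1 << 8) | b0) >>> 0;
        }
        // Syscall 74 (presumably mprotect) with 0x1|0x2|0x4 = read|write|exec
        // so the loader buffer can be executed as the thread entry point.
        // Its result is not checked either (see note above).
        chain.syscall(74, payload_loader, allocLen, (0x1 | 0x2 | 0x4));
        var pthread = p.malloc(0x10);
        // pthread_create(pthread, NULL, payload_loader, payload_buffer)
        chain.call(libKernelBase.add32(OFFSET_lk_pthread_create), pthread, 0x0, payload_loader, payload_buffer);
        showMessage("*** --- "+ payloadTitle + " Loaded --- ***<br><br>Press Circle to exit this page!");
        success();
        deepsleep();
    }
    else
    {
        showMessage("No Payload Data!");
    }
}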
This older code was later replaced by Leeful with the following injection code, which in my experience is far more reliable:
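function injectPayload() {
    //Buffer Array Method By Leeful
    // Fetches payloadFile as raw bytes, copies it (zero-padded to a whole
    // number of 32-bit words) into a fresh anonymous RWX mapping and starts a
    // thread whose entry point is the first byte of that mapping.
    var req = new XMLHttpRequest();
    req.responseType = "arraybuffer";
    // Handlers are attached before send() so no state change can be missed.
    req.onerror = function () {
        throw new Error("Payload fetch failed (network error): " + payloadFile);
    };
    req.onreadystatechange = function () {
        if (req.readyState !== 4) {
            return;
        }
        // Without this check an HTTP error page (404/500) would be copied into
        // executable memory and run as the payload. Status 0 is what non-HTTP
        // schemes such as file:// report, so it is tolerated provided a
        // non-empty body actually arrived.
        var httpOk = req.status === 200 || req.status === 0;
        if (!httpOk || !req.response || req.response.byteLength === 0) {
            throw new Error("Payload fetch failed: HTTP " + req.status + " for " + payloadFile);
        }
        // Declared with var: the original assigned an undeclared PLD, which
        // throws a ReferenceError in strict-mode code such as an ES module.
        // NOTE(review): if anything else reads a global PLD, declare it at
        // file level instead.
        var PLD = req.response;
        var srcLen = PLD.byteLength;
        // Pad to a multiple of 4 bytes so a Uint32Array view covers the whole
        // payload. (The original computed 4 - (len % 4) % 4, which is 4 rather
        // than 0 when len is already aligned; harmless but not intended.)
        var padLen = (4 - (srcLen % 4)) % 4;
        var tmp = new Uint8Array(srcLen + padLen);
        tmp.set(new Uint8Array(PLD), 0); // trailing pad bytes are already zero
        var shellcode = new Uint32Array(tmp.buffer);
        // mmap(477): anonymous mapping sized at 4x the payload (kept from the
        // original; the extra space is harmless), prot 7 = read|write|exec,
        // flags 0x1002 — presumably MAP_ANON|MAP_PRIVATE. The result is not
        // checked; a failed map would be written to and jumped into.
        // TODO(review): abort if chain.syscall results can be compared.
        var mapLen = srcLen * 4;
        var payload_buffer = chain.syscall(477, 0, mapLen, 7, 0x1002, -1, 0);
        var pl = p.array_from_address(payload_buffer, mapLen);
        pl.set(shellcode, 0);
        var pthread = p.malloc(0x10);
        // pthread_create(pthread, NULL, payload_buffer, NULL)
        chain.call(libKernelBase.add32(OFFSET_lk_pthread_create), pthread, 0x0, payload_buffer, 0);
    };
    req.open('GET', payloadFile);
    req.send();
}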
Leeful's injection code works much better and has never crashed during payload injection for me. You should try modifying your lapse.mjs to use an older chain.mjs (so it is compatible with the chain calls above), or slightly adapt Leeful's code to load the payloads; either way you should see far less crashing. One caveat when porting it: `PLD = req.response` assigns an undeclared variable, which throws in strict-mode code such as an ES module like lapse.mjs, so declare it with `var`/`let`, and consider checking `req.status` so that a failed fetch is not copied into memory and executed as the payload.